T1195.003

Compromise Hardware Supply Chain

Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices such as servers, workstations, network infrastructure, or peripherals. Real-world examples include UEFI firmware implants (LoJax, CosmicStrand, BlackLotus), compromised network interface card firmware (Equation Group capabilities), and server baseboard management controller (BMC) implants. Detection is inherently constrained because the compromise predates the device's arrival, often manifesting as unexpected kernel-mode drivers, firmware modification activity, anomalous out-of-band management traffic, or covert network channels established through compromised NIC or BMC firmware. Defenders should focus on firmware integrity monitoring, hardware inventory baselining, driver signing verification, and anomalous network activity from system-level processes.

Microsoft Sentinel / Defender

kusto

// T1195.003 — Hardware Supply Chain Compromise
// Detects OS-observable artifacts: unsigned drivers from suspicious paths,
// firmware flash utility execution, unexpected PCI device registration, and
// anomalous System process network activity (NIC firmware beaconing)
let LookbackWindow = ago(24h);
let FirmwareFlashTools = dynamic([
    "afuwin.exe", "afuwin64.exe", "afudos.exe", "fpt.exe", "fptw64.exe",
    "h2offt.exe", "h2offt-wx64.exe", "h2offt-wx86.exe", "flashrom.exe",
    "winphlash.exe", "phlash16.exe", "amifldrv64.sys", "meinfo.exe",
    "meinfowin.exe", "meinfowin64.exe", "fwupdmgr.exe", "chipsec_main.exe"
]);
let SuspiciousDriverPaths = dynamic([
    "\\Temp\\", "\\AppData\\", "\\ProgramData\\",
    "\\Users\\Public\\", "\\Windows\\Temp\\"
]);
let KnownGoodSigners = dynamic([
    "Microsoft Windows", "Microsoft Corporation", "Intel Corporation",
    "Intel(R) Corporation", "Advanced Micro Devices", "NVIDIA Corporation",
    "Realtek Semiconductor", "Broadcom Corporation", "Qualcomm Atheros",
    "Marvell Semiconductor", "Dell Inc", "HP Inc", "Hewlett Packard",
    "Lenovo", "ASUSTek Computer"
]);
union isfuzzy=true
(
    // Branch 1: Kernel drivers loaded from non-standard paths (implant payload delivery)
    DeviceImageLoadEvents
    | where Timestamp > LookbackWindow
    | where FolderPath has_any (SuspiciousDriverPaths)
    | where SignatureState !in~ ("SignedValid")
    | extend DetectionBranch = "Unsigned Driver From Non-Standard Path"
    | extend RiskDetail = strcat("Driver: ", FileName, " | Signer: ", iif(isempty(Signer), "UNSIGNED", Signer), " | State: ", SignatureState, " | Path: ", FolderPath)
    | project Timestamp, DeviceName, AccountName, DetectionBranch, FileName, FolderPath, Signer, SignatureState, SHA256, RiskDetail
),
(
    // Branch 2: Firmware flash utilities executing outside vendor update processes
    DeviceProcessEvents
    | where Timestamp > LookbackWindow
    | where FileName has_any (FirmwareFlashTools)
        or ProcessCommandLine has_any (FirmwareFlashTools)
    | where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "install.exe", "Update.exe", "DellUpdate.exe", "HPFirmwareUpdRec.exe")
    | extend DetectionBranch = "Firmware Flash Utility Execution"
    | extend RiskDetail = strcat("Tool: ", FileName, " | CmdLine: ", ProcessCommandLine, " | Parent: ", InitiatingProcessFileName)
    | project Timestamp, DeviceName, AccountName, DetectionBranch, FileName, FolderPath, Signer = "", SignatureState = "", SHA256, RiskDetail
),
(
    // Branch 3: New PCI device registry keys created by unexpected processes
    DeviceRegistryEvents
    | where Timestamp > LookbackWindow
    | where ActionType == "RegistryKeyCreated"
    | where RegistryKey matches regex @"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_[A-F0-9]{4}&DEV_[A-F0-9]{4}"
    | where InitiatingProcessFileName !in~ ("services.exe", "drvinst.exe", "setuphost.exe", "DrvInst.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe")
    | extend DetectionBranch = "Unexpected PCI Device Registration"
    | extend RiskDetail = strcat("New PCI key: ", RegistryKey, " | Process: ", InitiatingProcessFileName, " | PID: ", tostring(InitiatingProcessId))
    | project Timestamp, DeviceName, AccountName = "", DetectionBranch, FileName = InitiatingProcessFileName, FolderPath = RegistryKey, Signer = "", SignatureState = "", SHA256 = "", RiskDetail
),
(
    // Branch 4: Kernel driver service installation (Event ID 7045) with kernel type
    SecurityEvent
    | where TimeGenerated > LookbackWindow
    | where EventID == 7045
    | extend ServiceName = tostring(EventData.ServiceName)
    | extend ServiceType = tostring(EventData.ServiceType)
    | extend ImagePath = tostring(EventData.ImagePath)
    | where ServiceType has_any ("kernel mode driver", "file system driver")
    | where ImagePath has_any (SuspiciousDriverPaths)
    | extend DetectionBranch = "Kernel Driver Service Installed From Suspicious Path"
    | extend RiskDetail = strcat("Service: ", ServiceName, " | Type: ", ServiceType, " | Path: ", ImagePath)
    | project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, DetectionBranch, FileName = ServiceName, FolderPath = ImagePath, Signer = "", SignatureState = "", SHA256 = "", RiskDetail
)
| sort by Timestamp desc

critical severity low confidence

Data Sources

Driver: Driver Load Process: Process Creation Windows Registry: Windows Registry Key Creation Windows Registry: Windows Registry Key Modification Firmware: Firmware Modification Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceProcessEvents DeviceRegistryEvents SecurityEvent

False Positives

Hardware vendor management software (Dell SupportAssist, HP Support Assistant, Lenovo Vantage) legitimately executes firmware flash utilities and installs drivers during scheduled updates — filter by known vendor parent processes and scheduled maintenance windows
Windows Update and Windows Driver Framework (drvinst.exe, setuphost.exe, TrustedInstaller.exe) legitimately create PCI registry keys and install drivers during OS updates — these processes are explicitly excluded but verify parent process chains
IT administrators running firmware audit tools (chipsec, flashrom in read-only mode, MEInfo) for inventory or security assessments — coordinate with asset management teams to identify authorized audit activity
New hardware installations (RAM, PCIe NIC, GPU, storage controllers) added by IT staff post-deployment legitimately trigger PCI device registration events — correlate with IT change tickets
Pre-production hardware validation labs where firmware is legitimately flashed as part of manufacturing QA processes — these environments may need separate detection policies
Third-party hardware management agents (Dell OMSA, HPE iLO Amplifier, Lenovo XClarity) may load drivers from non-standard installation paths during their own setup procedures

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System")
| eval lower_image=lower(coalesce(ImageLoaded, Image, ""))
| eval lower_cmdline=lower(coalesce(CommandLine, ImagePath, ""))
| eval lower_service_type=lower(coalesce(ServiceType, ""))
`comment("--- Detection Branch Flags ---")`
| eval is_firmware_tool=if(
    (EventCode=1 OR EventCode=4688) AND match(lower_cmdline,
    "(afuwin|afudos|\bfpt\.exe|fptw64|h2offt|winphlash|phlash16|amifldrv64|meinfo|flashrom|fwupdmgr|chipsec_main)"),
    1, 0)
| eval is_suspicious_driver_path=if(
    EventCode=6 AND match(lower_image,
    "(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\temp\\\\)"),
    1, 0)
| eval is_unsigned_driver=if(
    EventCode=6 AND (Signed="false" OR Signed="0" OR match(lower(coalesce(Signed,"")), "^(false|no|0)$")),
    1, 0)
| eval is_kernel_driver_service=if(
    EventCode=7045 AND match(lower_service_type, "(kernel mode driver|file system driver)") AND
    match(lower_cmdline, "(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\windows\\\\temp\\\\)"),
    1, 0)
`comment("--- Filter to relevant events only ---")`
| where (is_firmware_tool=1 OR is_suspicious_driver_path=1 OR is_unsigned_driver=1 OR is_kernel_driver_service=1)
`comment("--- Assign detection categories ---")`
| eval detection_category=case(
    is_firmware_tool=1, "Firmware Flash Utility Execution",
    is_suspicious_driver_path=1 AND is_unsigned_driver=1, "Unsigned Driver From Suspicious Path",
    is_suspicious_driver_path=1, "Driver Loaded From Non-Standard Path",
    is_unsigned_driver=1, "Unsigned Kernel Driver Load",
    is_kernel_driver_service=1, "Kernel Driver Service Installed From Suspicious Path",
    true(), "Unknown Hardware Anomaly"
)
| eval risk_score=is_firmware_tool + is_suspicious_driver_path + is_unsigned_driver + is_kernel_driver_service
| eval risk_detail=case(
    EventCode=6, "Driver: ".ImageLoaded." | Signed: ".Signed." | Sig: ".coalesce(Signature, "N/A"),
    EventCode=1 OR EventCode=4688, "Process: ".Image." | CmdLine: ".CommandLine,
    EventCode=7045, "Service: ".ServiceName." | Type: ".ServiceType." | Path: ".ImagePath,
    true(), "Event: ".EventCode
)
| table _time, host, detection_category, risk_score, risk_detail, EventCode, User, ImageLoaded, Image, CommandLine, Signed, Signature, ServiceName, ServiceType, ImagePath
| sort - risk_score - _time

critical severity low confidence

Data Sources

Driver: Driver Load Process: Process Creation Firmware: Firmware Modification Sysmon Event ID 6 Sysmon Event ID 1 Windows System Event ID 7045

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security WinEventLog:System

False Positives

Hardware vendor management suites (Dell SupportAssist, HP Support Assistant, Lenovo Vantage) legitimately run firmware flash utilities during scheduled updates — establish an allowlist of known vendor binaries and their parent process chains
Windows Update process (TrustedInstaller.exe, WUauclt.exe) installs unsigned drivers during Windows Upgrade scenarios — check the Sysmon Signature field for Microsoft signatures that may not be classified as SignedValid during upgrade
IT administrators using chipsec, flashrom, or MEInfo for authorized firmware auditing — coordinate with security team to document authorized hardware audit windows
Industrial/OT environments where legacy hardware drivers legitimately lack digital signatures — consider a separate baseline policy for OT segment endpoints
Penetration testing or red team exercises that deliberately load test drivers — coordinate with testing teams to whitelist test activity time windows
Hardware provisioning workstations used to image machines may run vendor firmware tools as part of their normal workflow — identify and exclude provisioning host accounts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  hostname,
  username,
  QIDNAME(qid) AS event_name,
  "EventID",
  "ImageLoaded",
  "Image",
  "CommandLine",
  "Signed",
  "ServiceName",
  "ServiceType",
  "ImagePath",
  CASE
    WHEN "EventID" = '1'
      AND (LOWER("CommandLine") LIKE '%afuwin%' OR LOWER("CommandLine") LIKE '%afudos%'
        OR LOWER("CommandLine") LIKE '%fpt.exe%' OR LOWER("CommandLine") LIKE '%fptw64%'
        OR LOWER("CommandLine") LIKE '%h2offt%' OR LOWER("CommandLine") LIKE '%winphlash%'
        OR LOWER("CommandLine") LIKE '%phlash16%' OR LOWER("CommandLine") LIKE '%amifldrv64%'
        OR LOWER("CommandLine") LIKE '%meinfo%' OR LOWER("CommandLine") LIKE '%flashrom%'
        OR LOWER("CommandLine") LIKE '%fwupdmgr%' OR LOWER("CommandLine") LIKE '%chipsec_main%')
    THEN 'Firmware Flash Utility Execution'
    WHEN "EventID" = '6'
      AND "Signed" = 'false'
      AND (LOWER("ImageLoaded") LIKE '%\\temp\\%' OR LOWER("ImageLoaded") LIKE '%\\appdata\\%'
        OR LOWER("ImageLoaded") LIKE '%\\programdata\\%' OR LOWER("ImageLoaded") LIKE '%\\users\\public\\%'
        OR LOWER("ImageLoaded") LIKE '%\\windows\\temp\\%')
    THEN 'Unsigned Driver From Suspicious Path'
    WHEN "EventID" = '6'
      AND (LOWER("ImageLoaded") LIKE '%\\temp\\%' OR LOWER("ImageLoaded") LIKE '%\\appdata\\%'
        OR LOWER("ImageLoaded") LIKE '%\\programdata\\%' OR LOWER("ImageLoaded") LIKE '%\\users\\public\\%')
    THEN 'Driver From Non-Standard Path'
    WHEN "EventID" = '7045'
      AND (LOWER("ServiceType") LIKE '%kernel mode driver%' OR LOWER("ServiceType") LIKE '%file system driver%')
      AND (LOWER("ImagePath") LIKE '%\\temp\\%' OR LOWER("ImagePath") LIKE '%\\appdata\\%'
        OR LOWER("ImagePath") LIKE '%\\programdata\\%' OR LOWER("ImagePath") LIKE '%\\windows\\temp\\%')
    THEN 'Kernel Driver Service From Suspicious Path'
    ELSE 'Unknown'
  END AS detection_category
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Sysmon')
  AND starttime > NOW() - 1 DAYS
  AND (
    (
      "EventID" = '1' AND
      (LOWER("CommandLine") LIKE '%afuwin%' OR LOWER("CommandLine") LIKE '%afudos%'
       OR LOWER("CommandLine") LIKE '%fpt.exe%' OR LOWER("CommandLine") LIKE '%fptw64%'
       OR LOWER("CommandLine") LIKE '%h2offt%' OR LOWER("CommandLine") LIKE '%winphlash%'
       OR LOWER("CommandLine") LIKE '%phlash16%' OR LOWER("CommandLine") LIKE '%amifldrv64%'
       OR LOWER("CommandLine") LIKE '%meinfo%' OR LOWER("CommandLine") LIKE '%flashrom%'
       OR LOWER("CommandLine") LIKE '%fwupdmgr%' OR LOWER("CommandLine") LIKE '%chipsec_main%')
    )
    OR (
      "EventID" = '6' AND
      (LOWER("ImageLoaded") LIKE '%\\temp\\%' OR LOWER("ImageLoaded") LIKE '%\\appdata\\%'
       OR LOWER("ImageLoaded") LIKE '%\\programdata\\%' OR LOWER("ImageLoaded") LIKE '%\\users\\public\\%'
       OR LOWER("ImageLoaded") LIKE '%\\windows\\temp\\%')
    )
    OR (
      "EventID" = '7045' AND
      (LOWER("ServiceType") LIKE '%kernel mode driver%' OR LOWER("ServiceType") LIKE '%file system driver%') AND
      (LOWER("ImagePath") LIKE '%\\temp\\%' OR LOWER("ImagePath") LIKE '%\\appdata\\%'
       OR LOWER("ImagePath") LIKE '%\\programdata\\%' OR LOWER("ImagePath") LIKE '%\\windows\\temp\\%')
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Microsoft Windows Sysmon

Required Tables

events

False Positives

Enterprise patch management systems (Ivanti, BigFix, Tanium) distributing OEM firmware update packages that invoke flash utilities from managed staging directories in ProgramData
OS deployment workflows (MDT, WDS) that extract and install signed drivers from temporary working directories created during automated imaging sequences
Vendor hardware diagnostic and validation tooling (Dell SupportAssist, HP PC Hardware Diagnostics) invoking firmware inspection utilities during scheduled health checks

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceName=*WinEventLog*)
| where _raw matches /EventCode[>=]+(1|6|7045)/
| parse regex "(?i)EventCode[^>]*>(?P<event_code>\d+)" nodrop
| parse regex "(?i)ImageLoaded[^>]*>(?P<image_loaded>[^<]+)" nodrop
| parse regex "(?i)(?<![a-zA-Z])Image[^>]*>(?P<proc_image>[^<]+)" nodrop
| parse regex "(?i)CommandLine[^>]*>(?P<command_line>[^<]+)" nodrop
| parse regex "(?i)Signed[^>]*>(?P<signed>[^<]+)" nodrop
| parse regex "(?i)ServiceName[^>]*>(?P<service_name>[^<]+)" nodrop
| parse regex "(?i)ServiceType[^>]*>(?P<service_type>[^<]+)" nodrop
| parse regex "(?i)ImagePath[^>]*>(?P<image_path>[^<]+)" nodrop
| where event_code in ("1", "6", "7045")
| eval lower_cmdline = toLowerCase(if(isNull(command_line), "", command_line))
| eval lower_image = toLowerCase(if(!isNull(image_loaded), image_loaded, if(!isNull(proc_image), proc_image, "")))
| eval lower_service_type = toLowerCase(if(isNull(service_type), "", service_type))
| eval lower_image_path = toLowerCase(if(isNull(image_path), "", image_path))
| eval is_firmware_tool = if(event_code = "1" and (
    contains(lower_cmdline, "afuwin") or contains(lower_cmdline, "afudos") or
    contains(lower_cmdline, "fpt.exe") or contains(lower_cmdline, "fptw64") or
    contains(lower_cmdline, "h2offt") or contains(lower_cmdline, "winphlash") or
    contains(lower_cmdline, "phlash16") or contains(lower_cmdline, "amifldrv64") or
    contains(lower_cmdline, "meinfo") or contains(lower_cmdline, "flashrom") or
    contains(lower_cmdline, "fwupdmgr") or contains(lower_cmdline, "chipsec_main")), 1, 0)
| eval is_suspicious_driver_path = if(event_code = "6" and (
    contains(lower_image, "\\temp\\") or contains(lower_image, "\\appdata\\") or
    contains(lower_image, "\\programdata\\") or contains(lower_image, "\\users\\public\\") or
    contains(lower_image, "\\windows\\temp\\")), 1, 0)
| eval is_unsigned_driver = if(event_code = "6" and (signed = "false" or signed = "0" or signed = "no"), 1, 0)
| eval is_kernel_driver_svc = if(event_code = "7045" and
    (contains(lower_service_type, "kernel mode driver") or contains(lower_service_type, "file system driver")) and
    (contains(lower_image_path, "\\temp\\") or contains(lower_image_path, "\\appdata\\") or
     contains(lower_image_path, "\\programdata\\") or contains(lower_image_path, "\\windows\\temp\\")), 1, 0)
| where is_firmware_tool = 1 or is_suspicious_driver_path = 1 or is_unsigned_driver = 1 or is_kernel_driver_svc = 1
| eval detection_category = if(is_firmware_tool = 1, "Firmware Flash Utility Execution",
    if(is_suspicious_driver_path = 1 and is_unsigned_driver = 1, "Unsigned Driver From Suspicious Path",
    if(is_suspicious_driver_path = 1, "Driver From Non-Standard Path",
    if(is_kernel_driver_svc = 1, "Kernel Driver Service From Suspicious Path", "Unknown"))))
| eval risk_score = is_firmware_tool + is_suspicious_driver_path + is_unsigned_driver + is_kernel_driver_svc
| table _messageTime, _sourceHost, detection_category, risk_score, event_code, proc_image, image_loaded, command_line, signed, service_name, service_type, image_path
| sort by risk_score desc, _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic collector Windows System Event Log via Sumo Logic collector

Required Tables

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:System

False Positives

Enterprise firmware update management platforms (Ivanti Neurons, Tanium Patch) deploying BIOS or NIC firmware updates through system management agents that use non-standard staging paths
OEM hardware lifecycle management tools (Dell Command Update, HP Support Assistant) that temporarily stage and execute flash utilities in AppData or ProgramData during update workflows
Platform security teams running authorized firmware integrity tools (flashrom, chipsec) against endpoints as part of hardware supply chain verification audits

Google Chronicle / SecOps

yaral

rule hardware_supply_chain_compromise_t1195_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1195.003 hardware supply chain compromise: firmware flash utility execution, unsigned kernel drivers loaded from non-standard writable paths, and kernel driver service installation from suspicious locations."
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1195/003/"

  events:
    (
      (
        // Branch 1: Firmware flash utility execution not initiated by known vendor updaters
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex($e.target.process.file.full_path,
          `(?i)(afuwin(64)?\.exe|afudos\.exe|fptw?(64)?\.exe|h2offt(-wx(64|86))?\.exe|flashrom\.exe|winphlash\.exe|phlash16\.exe|amifldrv64\.sys|meinfo(win)?(64)?\.exe|fwupdmgr\.exe|chipsec_main\.exe)`) and
        not re.regex($e.principal.process.file.full_path,
          `(?i)(msiexec\.exe|setup\.exe|install\.exe|update\.exe|dellupdate\.exe|hpfirmwareupdrecov\.exe|lenovo.*update\.exe)`)
      ) or
      (
        // Branch 2: Unsigned kernel driver loaded from non-standard writable path
        $e.metadata.event_type = "DRIVER_LOAD" and
        re.regex($e.target.file.full_path,
          `(?i)\\(temp|appdata|programdata|users\\public|windows\\temp)\\`) and
        $e.target.file.pe_file.signature_status != "SIGNED"
      ) or
      (
        // Branch 3: Kernel driver service created with image path in suspicious location
        $e.metadata.event_type = "SERVICE_CREATION" and
        re.regex($e.target.resource.name,
          `(?i)\\(temp|appdata|programdata|windows\\temp)\\`) and
        re.regex($e.target.resource.attribute.labels["ServiceType"],
          `(?i)(kernel mode driver|file system driver)`)
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Sysmon via Chronicle ingestion Windows Security Event Log via Chronicle ingestion Windows System Event Log via Chronicle ingestion

Required Tables

UDM events: PROCESS_LAUNCH, DRIVER_LOAD, SERVICE_CREATION

False Positives

OEM BIOS and firmware update workflows (HP BIOSphere, Dell BIOS Connect, Lenovo ThinkShield) where firmware utilities launch outside their standard vendor updater parent process chain due to rescheduled or deferred update execution
IT asset provisioning pipelines that stage and execute firmware validation or update binaries in writable directories as part of automated hardware onboarding
Open-source firmware audit tools (flashrom, chipsec) invoked by authorized hardware security teams under change-controlled conditions on non-production endpoints

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|DriverLoad|ModuleLoad)$/
| eval lower_filename = lower(FileName ?? "")
| eval lower_cmdline = lower(CommandLine ?? "")
| eval lower_imagepath = lower(ImageFileName ?? FileName ?? "")
| eval lower_parent = lower(ParentBaseFileName ?? "")
| eval is_firmware_tool = (
    #event_simpleName = "ProcessRollup2" and
    (
      lower_filename = /^(afuwin(64)?|afudos|fptw?(64)?|h2offt(-wx(64|86))?|flashrom|winphlash|phlash16|meinfo(win)?(64)?|fwupdmgr|chipsec_main)\.exe$/ or
      lower_cmdline = /(afuwin|afudos|fpt\.exe|fptw64|h2offt|winphlash|phlash16|amifldrv64|meinfo|flashrom|fwupdmgr|chipsec_main)/
    ) and
    not lower_parent = /(msiexec\.exe|setup\.exe|install\.exe|update\.exe|dellupdate\.exe|hpfirmwareupdrecov\.exe)/
  )
| eval is_suspicious_driver = (
    #event_simpleName in ("DriverLoad", "ModuleLoad") and
    lower_imagepath = /(\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\|\\windows\\temp\\)/
  )
| where is_firmware_tool or is_suspicious_driver
| eval detection_category = case(
    is_firmware_tool, "Firmware Flash Utility Execution",
    is_suspicious_driver, "Driver or Module Loaded From Suspicious Path",
    "Unknown Hardware Anomaly"
  )
| eval risk_indicators = if(is_firmware_tool, "firmware_tool ", "") + if(is_suspicious_driver, "suspicious_driver_path", "")
| table([timestamp, ComputerName, UserName, detection_category, risk_indicators, FileName, CommandLine, ImageFileName, ParentBaseFileName, MD5HashData, SHA256HashData])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR sensor Falcon Data Replicator

Required Tables

ProcessRollup2 DriverLoad ModuleLoad

False Positives

Vendor OEM firmware update agents (DellUpdate.exe, HP Support Assistant, Lenovo System Update) that spawn licensed firmware flash utilities during scheduled or user-initiated update windows, resulting in known-good tools appearing under non-standard parent processes
Enterprise endpoint management platforms (Tanium, BigFix, Microsoft Endpoint Configuration Manager) that distribute and execute firmware validation or update binaries using Falcon-visible process execution paths through Temp or ProgramData staging directories
Authorized red team or hardware security engineering workflows invoking firmware inspection tools (chipsec, flashrom) from non-standard paths on designated test endpoints under change-control approval

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1195.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1195Supply Chain Compromise

Related Sub-techniques

T1195.001Compromise Software Dependencies and Development Tools T1195.002Compromise Software Supply Chain

Compromise Hardware Supply Chain

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Initial Access

Popular Detections